Video: Descent of the Phoenix

HOUSTON — Nearly 40 years ago, the Apollo 11 lunar module lowered itself to the moon's surface, precariously balanced on a stream of fire from its braking engine. The final seconds before contact were the most dramatic. And once the two astronauts were on the surface, their first words were not the phrases about Tranquility Base and the Eagle having landed.

The first words were even more important to the guys turning blue at Mission Control: “OK, engine stop.”

On Sunday, the same sort of drama played out on Mars. When NASA's Phoenix Mars Lander neared the Red Planet's surface, balanced on its own fountain of fire, the critical moment came when it turned off the engine at the right moment — neither too soon, nor too late. The next step? Keeping it off.

Moments after the landing craft reached the surface, Phoenix's autopilot initiated an automatic sequence to "safe" the propulsion system.

When the engines shut down once and for all, that marked NASA's first successful rocket-powered landing since the Viking missions of 1976. That sparked cheers at NASA's Jet Propulsion Laboratory in Pasadena, Calif. — but at the same time, you couldn't help but feel a little sad to see those engines go dead forever.

Phoenix's two fuel tanks contained hydrazine fuel for the lander's eight engines, kept under high pressure by helium that is fed in from other tanks. The helium and the hydrazine were separated in the fuel tanks by flexible bladders.

During the final minutes of Phoenix's descent, the pressurized helium pushed fuel into the engines for the crucial retro firing. As fuel was expended, more pressurized gas filled the expanding gas side of the bladder. By the time the lander reached the surface, most of the fuel was used up.

At that point, the excess helium and hydrazine were a liability. The leftover hydrazine could have expanded as it warmed, potentially rupturing the fuel lines.

“The tanks weren’t designed to go through repeated freeze-thaw cycles on the surface,” Lewicki explained. “It could damage the spacecraft, or leak out and contaminate the ground to be studied.”

To avoid those nightmares, the lander was programmed to start dumping the gas and the fuel within a minute after landing — even as Phoenix beamed back word of its safe landing.

“We will fire two pyrotechnic valves to open the pressurization feed lines,” Lewicki said last week. “We’ll see the pressure and temperature dropping immediately.”

Hydrazine headaches
These hydrazine engines caused a headache — and possibly a fatal heart attack — for Phoenix’s predecessor mission, the Mars Polar Lander. That probe vanished in 1999 during its landing attempt, probably the victim of too little double-checking of its design and fabrication. The management mantra in the 1990s was "Faster, Cheaper, Better" — a principle that led to some early spectacular successes, such as the airbag-cushioned Mars Pathfinder landing in 1997, but later became the root cause for a series of embarrassing and expensive setbacks.

One design flaw discovered only after Polar Lander was launched toward Mars was that the engines would probably be too cold to survive the first hot pulse when they were ignited during final descent. In an attempt to address this threat, operators turned on the probe’s fuel-tank heaters for several hours before landing. But the probe had a lot of thermal insulation between the fuel tanks (where the heaters were) and the engines (which were feared to be too cold). As a result, the scheme's effectiveness was never assured.

That question, like many others sparked by Polar Lander's inadequate design, was firmly put to bed in the years that followed. Phoenix's engines were equipped with their own heaters (“We put them in the right place this time,” Lewicki boasted with a laugh) and clearly survived the cold-soak of the long Earth-to-Mars coast. This was proven in advance when several engines were taken off the lander that was meant to follow Polar Lander — the spacecraft that later became Phoenix —and installed on NASA's Mars Reconnaissance Orbiter. When MRO arrived at Mars, the engines fired perfectly to slow it into a survey orbit.

Premature shutdown?
The original lander design had another flaw that most observers think was the most likely cause of Polar Lander's crash: a tendency to shut off the descent engine too early, and thus hit the ground too hard to survive. That flaw, too, was fixed.

After Polar Lander's mysterious disappearance, engineers worked mightily to find any potentially fatal design flaws — and the most critical one was discovered not by analysis, but by accident. During mechanical testing of the follow-on lander, an interesting anomaly was uncovered.

The lander's autopilot is supposed to control the firing of the braking engine all the way to the surface, and stop the engine just at contact. It knows when to stop when sensors in the shoulder of any of the landing legs indicate flexure — that is, the upward bending that happens when the feet thump down on the ground. When the radar measures an altitude of about 100 feet (30 meters), the autopilot starts checking for that flexing, and commands "engine stop" as soon as it is detected.

After Polar Lander's failure, testers discovered that the flexure indicator could be set spuriously when the legs initially unfolded from their tucked-under stowed position. Driven by springs, the legs would hinge outwards and snap into position — sometimes hitting the hard stops with enough force to mimic the shock of touchdown and set the contact indicator.

If that actually happened during Polar Lander's descent — and this could be confirmed sometime in the next century when the crashed probe's computer is located and retrieved for study — the autopilot would have detected contact immediately when it checked the status indicators. The engines would have been shut off high above the surface, and the fall from that height would have smashed the probe.

This flaw was easy to fix. But the fact that it was so hard to find was scary, and remains worrisome in regard to what else might still have slipped past the reviews and the tests.

Did NASA cut corners on engine testing?
Back in the 1990s, as a cost-cutting measure, Polar Lander's engines were never actually tested. Instead, they were certified purely on the basis of previous flight experience. In the “circle-the-wagons” embarrassment that followed Polar Lander's loss, NASA officials admitted the error but refused to reveal which space vehicle had carried such thrusters in the past.

At the time, there were rumors that the engine was used for a military multiple-warhead carrier mounted on an intercontinental ballistic missile. As such, the engine would be qualified to start up in a warm underground silo, for a mission of no more than 30 minutes ending in nuclear annihilation. The idea that this would be "close enough" for use on a chilly 10-month flight to Mars seemed preposterous — but no one would confirm the rumors.

That was then, and this is now: Lewicki said he had no problem discussing Polar Lander's engine.

“It’s a standard Aerojet engine, model MR-107-N,” he happily told me when asked. “Before it flew on MPL, it had flown on intercontinental ballistic missiles.” Its predecessor, the MR-107, had also flown in an upper stage for the small Athena satellite launcher in the 1990s, the Encyclopedia Astronautica Web site notes.

Bill Smith, executive director of the Aerojet plant in Redmond, Wash., that builds the company's in-space rocket engines, confirmed that this was the engine model involved in both the Polar Lander and Phoenix. "It's the same engine," he said in a telephone interview with msnbc.com late Friday. "It's been used on a number of satellite launch vehicles."

Smith didn't think the cold engine posed a problem for Polar Lander. "After the loss of the lander, we ran ignition tests all the way down to -40 degrees F," he told msnbc.com. "The engine started up and worked just fine." He believes Polar Lander was felled by the premature shutdown.

‘We won't have liftoff ...’
Now that Phoenix Mars Lander's engines are shut down, they'll stay shut down. That means the lander is doomed to be frozen in place during the dark, cold Martian polar winter ahead. Phoenix will become encased in carbon dioxide ice for months, ruling out any prospects for further operations.

So why not "take off" at the end of the mission? Why not keep some fuel around to burp the engines briefly, rise a few meters, and then come back again a short distance from the original site? This would permit observation of the depressions caused by the landing pads and the scouring effects of the engines, and would provide stereoscopic views of portions of the horizon to help determine the distance to nearby features.

This is exactly what the Surveyor 6 moon probe did in 1967. It performed the first-ever launch from the lunar surface on Nov. 17, 1967, when it rose 13 feet (4 meters) above the surface and then landed 8 feet (2.5 meters) from its original landing spot.

The temperature makes a big difference. Surveyor's hop came only eight days after its initial landing, and the tanks had stayed warm in full sunlight. Phoenix, in contrast, is expected to operate in place for months amid frigid conditions. For safety's sake, it's better to dump the fuel. Once this Phoenix alighted on Mars, there would be no rising from the flames or the frost.

The propulsion system's last gasp probably came less than an hour after landing, when the final bit of helium gas hissed out of the dump valve into Mars' thin atmosphere.

The gas coming out of the propellant tank may have had minute traces of hydrazine that seeped through the bladder wall. It might have been enough, Lewicki imagines, to create a spray of small hydrazine snowflakes across the surface, a thin white hoarfrost that would quickly evaporate even at polar temperatures. It would leave behind nothing — nothing, that is, but a spacecraft safely on the surface, delivered by a propulsion system that was awakened from the dead and then died peacefully again.

This is an updated version of a report that was originally published on May 23, 2008.